Anhui Huami Mi Fit 4.0.10 Unencrypted Update Check

2019.11.27
Credit: David Coomber
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Anhui Huami Mi Fit Android Application - Unencrypted Update Check -- https://www.info-sec.ca/advisories/Huami-Mi-Fit.html Overview "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts." (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health) Issue The Anhui Huami Mi Fit Android application (version 4.0.10 and below), does not encrypt the connection when it checks for an update. Impact An attacker who can monitor network traffic may be able to tamper with the application's update function. Timeline October 21, 2019 - Attempted to obtain a security contact via an email to support@amazfit.com October 22, 2019 - Provided the details to CERT/CC October 23, 2019 - CERT/CC opened a case for tracking November 4, 2019 - Attempted to obtain a security contact via an email to security@xiaomi.com Solution Upgrade to version 4.0.11 or later


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top